Oracle patches critical 0-day with new Java update
Oracle has released Java 7 Update 11, the computing platform’s newest version that patches the recently discovered and currently widely misused zero-day vulnerability, an exploit for which has been added to a number of popular exploit kits.
This new version also sets the default security level for Java applets and web start applications to “High,” so the user is always prompted before any unsigned Java applet or Java Web Start application is run.
Oracle recommended to all users to update Java as soon as possible, but it took no time at all for security researchers to analyze the update and declare it flawed.
Security Explorations’ CEO Adam Gowdiak claims that it leaves a number of critical security flaws unpatched, and Metasploit creator HD Moore believes it best for users to disable Java as it could take two years for Oracle to fix the flaws found in the Java version used to browse the Internet.
“The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don’t really need Java on their desktop,” concluded Moore.
In the meantime, Apple has disabled the Java 7 plug-in on OS X, and Mozilla has enabled “Click To Play” for recent versions of Java on all platforms, ensuring that the Java plugin will not load unless a user specifically clicks to enable the plugin.
By now you’re probably wondering whether you have Java on your computer and how to disable it. The first question will be answered for you if you visit this site, and you can consult Oracle’s own instructions on how to disable Java on your computer or in particular web browsers.